PatchSiren

PatchSiren cyber security CVE debrief

CVE-2017-3394 Oracle CVE debrief

CVE-2017-3394 affects the Oracle Advanced Outbound Telephony component in Oracle E-Business Suite, specifically the User Interface subcomponent. Oracle and NVD list affected supported versions as 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, and 12.2.6. The issue is network reachable over HTTP, does not require authentication, and has a high CVSS v3.0 score of 8.2. Oracle’s description also notes that successful exploitation requires human interaction and may impact additional products beyond the vulnerable component.

Vendor: Oracle
Product: CVE-2017-3394
CVSS: HIGH 8.2
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-01-27
Original CVE updated: 2026-05-13
Advisory published: 2017-01-27
Advisory updated: 2026-05-13

Who should care

Oracle E-Business Suite administrators, application security teams, and responders responsible for Advanced Outbound Telephony or related UI exposure, especially if the service is reachable over HTTP.

Technical summary

NVD records CVSS v3.0 vector AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N, indicating a remote, low-complexity issue with no privileges required but with user interaction needed and a scope change. The source corpus does not name a specific CWE, listing NVD-CWE-noinfo. The vulnerable Oracle Advanced Outbound Telephony versions are 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, and 12.2.6. Oracle states that successful attacks can lead to unauthorized access to critical data or full access to accessible data, plus unauthorized update, insert, or delete access to some accessible data.

Defensive priority

High

Recommended defensive actions

  • Identify every Oracle E-Business Suite instance running Advanced Outbound Telephony and confirm whether any affected version is deployed.
  • Apply the Oracle January 2017 CPU or the latest applicable Oracle security update referenced by the vendor advisory.
  • Reduce exposure of the affected interface, especially any HTTP-accessible paths, to trusted administrative networks only.
  • Treat any successful user interaction involving the affected UI as suspicious until the system is patched and validated.
  • Review access controls and logs for unexpected access, data exposure, or modification attempts against the affected component.
  • Prioritize remediation for Internet-facing or broadly reachable deployments because the vulnerability is unauthenticated and network exploitable.

Evidence notes

This debrief is based only on the supplied NVD record and the Oracle vendor-advisory reference in the corpus. The source data explicitly states the affected Oracle Advanced Outbound Telephony versions, the remote HTTP attack surface, the need for human interaction, the high CVSS v3.0 score of 8.2, and the potential for confidentiality and integrity impact. NVD also lists the weakness as NVD-CWE-noinfo, so no specific CWE is asserted here.

Official resources

Publicly disclosed in the January 2017 Oracle CPU referenced by NVD; the CVE record shows a published date of 2017-01-27T22:59:06.757Z and was later modified by NVD on 2026-05-13T00:24:29.033Z.